Free CRA Readiness Scanner for Open Source Projects

If you maintain an open source project or build software that falls under the EU Cyber Resilience Act, you can now check your CRA readiness for free in under a minute.

cra-scanner is an open source CLI tool that analyzes your project and gives you a CRA readiness score from 0 to 100. It checks three things: whether you have an SBOM, whether you follow basic vulnerability handling practices, and your known vulnerability exposure (a placeholder dimension in the current release; see below).

Install and Run

Install from PyPI: pip install cra-scanner

Scan your project: cra-scanner scan .

Scan with a specific SBOM: cra-scanner scan . --sbom path/to/bom.json

Get JSON output: cra-scanner scan . --format json --output report.json

Fail CI if score is too low: cra-scanner scan . --min-score 50

That is it. No account required, no API keys, no cost.

What It Checks

The scanner evaluates three dimensions:

SBOM (40 points). Does your project have a Software Bill of Materials? Is it in CycloneDX or SPDX format? Does it contain versioned components? The CRA requires manufacturers of products with digital elements to draw up an SBOM in a commonly used, machine-readable format covering at least the top-level dependencies (Annex I, Part II), so this is the foundation.

Vulnerability Handling Practices (30 points). Does your project have a SECURITY.md file documenting how to report vulnerabilities? Is Dependabot or a similar automated dependency update tool configured? Does your documentation include a security section? These map directly to the vulnerability handling requirements in CRA Annex I (Part II of the adopted regulation, numbered Section 2 in earlier drafts).

Vulnerability Exposure (30 points). This dimension is meant to score your known vulnerability status. In the current version it is a placeholder score; full vulnerability matching against NVD, OSV.dev, and CISA KEV is coming in a future release. Until then the scanner queries no vulnerability database, so a high overall score says nothing about whether your dependencies carry known CVEs. Keep running a dedicated dependency scanner alongside it.
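To make the three dimensions concrete, here is a small checker written for this post in Python; it is an added illustration, not cra-scanner's own code. It keeps the 40/30/30 weights from above, but the sub-weights, the SBOM file names it searches, the heuristics (SECURITY.md location, a Dependabot or Renovate config under .github, the word "security" in README.md), the report keys and the constructed sample project are all assumptions. It recognises CycloneDX JSON by its bomFormat/specVersion keys and SPDX 2.x JSON by spdxVersion, walks the components to find ones without a version, and, like the current release, awards nothing for vulnerability exposure.

```python
import json
import os
import tempfile

# Assumed file names searched when no SBOM path is given (cra-scanner's own list is not documented above).
SBOM_CANDIDATES = ("bom.json", "sbom.json", "sbom.cdx.json", "sbom.spdx.json")

def detect_sbom_format(doc):
    """Classify a parsed JSON document as 'cyclonedx', 'spdx' (2.x JSON) or None from its top-level keys."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if isinstance(doc.get("spdxVersion"), str) and doc["spdxVersion"].startswith("SPDX-"):
        return "spdx"
    return None

def sbom_components(doc, fmt):
    """Yield (name, version) for each component; version is None when the SBOM omits it."""
    if fmt == "cyclonedx":
        for c in doc.get("components", []):
            yield c.get("name"), c.get("version")
    elif fmt == "spdx":
        for p in doc.get("packages", []):
            yield p.get("name"), p.get("versionInfo")

def score_sbom(path):
    """SBOM dimension, 40 points: 15 for a recognised SBOM, +15 if it lists components, +10 if all are versioned (assumed split)."""
    if path is None or not os.path.isfile(path):
        return 0, ["No SBOM found (CycloneDX or SPDX JSON)"]
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):
        return 0, [f"{path} is not valid JSON"]
    fmt = detect_sbom_format(doc)
    if fmt is None:
        return 0, [f"{path} is neither CycloneDX nor SPDX JSON"]
    comps = list(sbom_components(doc, fmt))
    if not comps:
        return 15, [f"{fmt} SBOM lists no components"]
    unversioned = [str(n) for n, v in comps if not v]
    if unversioned:
        return 30, [f"{len(unversioned)} component(s) without a version: {', '.join(unversioned[:5])}"]
    return 40, []

def score_practices(root):
    """Vulnerability handling dimension, 30 points: SECURITY.md (15), dependency bot (10), README security section (5); assumed split."""
    points, findings = 0, []
    if any(os.path.isfile(os.path.join(root, d, "SECURITY.md")) for d in ("", ".github", "docs")):
        points += 15
    else:
        findings.append("No SECURITY.md describing how to report vulnerabilities")
    if any(os.path.isfile(os.path.join(root, ".github", f)) for f in ("dependabot.yml", "dependabot.yaml", "renovate.json")):
        points += 10
    else:
        findings.append("No automated dependency update config (.github/dependabot.yml or renovate.json)")
    readme = os.path.join(root, "README.md")
    if os.path.isfile(readme) and "security" in open(readme, encoding="utf-8").read().lower():
        points += 5
    else:
        findings.append("README.md has no security section")
    return points, findings

def scan(root, sbom=None):
    """Combine the three dimensions into a 0-100 score with one finding per gap."""
    if sbom is None:
        sbom = next((p for p in (os.path.join(root, c) for c in SBOM_CANDIDATES) if os.path.isfile(p)), None)
    sbom_pts, findings = score_sbom(sbom)
    prac_pts, prac_findings = score_practices(root)
    # Vulnerability exposure (30 points) is a placeholder here too: no NVD/OSV.dev/KEV lookup, so it awards 0 and real signals cap at 70.
    findings += prac_findings + ["Vulnerability exposure not assessed (placeholder dimension)"]
    return {"score": sbom_pts + prac_pts, "sbom_found": sbom is not None, "findings": findings}

def gate(report, min_score):
    """CI gate in the spirit of --min-score: 0 (pass) or 1 (fail), usable as an exit status."""
    return 0 if report["score"] >= min_score else 1

def demo():
    """Create a constructed sample project in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".github"))
        bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [
            {"type": "library", "name": "requests", "version": "2.32.3"},
            {"type": "library", "name": "urllib3"}]}  # deliberately missing its version
        files = {
            "bom.json": json.dumps(bom),
            "SECURITY.md": "# Security Policy\n\nReport vulnerabilities to security@example.org.\n",
            os.path.join(".github", "dependabot.yml"): "version: 2\nupdates:\n  - package-ecosystem: pip\n    directory: /\n    schedule:\n      interval: weekly\n",
            "README.md": "# demo\n\n## Security\n\nSee SECURITY.md.\n",
        }
        for rel, text in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan(root)

if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    raise SystemExit(gate(report, 50))
```

Running it scores the sample project 60: the SBOM loses 10 points for the unversioned component, the practices dimension is full, and the placeholder exposure dimension adds nothing, so a threshold of 50 passes and a threshold of 70 fails. The same shape (recognise the format, walk the components, report each gap with the points it cost) is what you would extend with a real vulnerability lookup once the exposure dimension is implemented.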

Understanding Your Score

A score of 70 or above means your project has the basic CRA readiness infrastructure in place. An SBOM exists, security practices are documented, and dependency management is automated.

A score of 40 to 69 means some foundations are in place but there are gaps. The scanner tells you exactly what is missing and which CRA requirement it maps to.

A score below 40 means significant work is needed. Start with generating an SBOM and creating a SECURITY.md file.

The score is a directional indicator, not legal advice. It helps you identify gaps and prioritize work toward compliance.

Use It in CI/CD

cra-scanner includes a GitHub Action you can add to any repository. In your GitHub Actions workflow, use Complaro/cra-scanner/action@main with the input min-score set to your desired threshold (for example, 40). If the action is going to gate merges, pin it to a release tag or a commit SHA rather than the moving main branch, as you would with any third-party action in your supply chain.

The action outputs the overall score, whether an SBOM was found, and a path to the JSON report. It installs cra-scanner from PyPI, runs the scan, and fails the workflow step if the score is below your threshold. Your team sees the CRA readiness score on every pull request.

What Is Coming Next

The roadmap includes:

  • Vulnerability matching against NVD, OSV.dev, and CISA KEV with version-aware comparison

  • SARIF output for GitHub and GitLab code scanning integration

  • CycloneDX VEX output for machine-readable vulnerability disclosure

  • Auto-SBOM generation from package managers

All code is MIT-licensed and open source at github.com/Complaro/cra-scanner.

For teams that need continuous compliance management, vulnerability intelligence, and ENISA report generation, Complaro provides a full platform. Join the waitlist to get started.